VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Groups: SRG-APP-000439-WSR-000155, SRG-APP-000516-WSR-000174
The vSphere UI default servlet must be set to "readonly".
The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resour... (Rule, Medium severity)

vSphere UI must limit the maximum size of a POST request.
The "maxPostSize" value is the maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack. ... (Rule, Medium severity)

vSphere UI must protect cookies from cross-site scripting (XSS).
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server ... (Rule, Medium severity)

vSphere UI log files must only be accessible by privileged users.
Log data is essential in the investigation of events. If log data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity w... (Rule, Medium severity)

vSphere UI application files must be verified for their integrity.
Verifying the vSphere UI application code is unchanged from its shipping state is essential for file validation and nonrepudiation of the vSphere UI. There is no reason the MD5 hash of the RPM orig... (Rule, Medium severity)

vSphere UI must not be configured with the "UserDatabaseRealm" enabled.
The vSphere UI performs user authentication at the application level and not through Tomcat. By default, there is no configuration for the "UserDatabaseRealm" Tomcat authentication mechanism. To el... (Rule, Medium severity)

vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
MIME mappings tell the vSphere UI what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. By ensuring various shell s... (Rule, Medium severity)

vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.
WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. WebDAV is not wide... (Rule, Medium severity)

vSphere UI must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web server is hosting. For the Security Token Service,... (Rule, Medium severity)

vSphere UI must set URIEncoding to UTF-8.
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unantici... (Rule, Medium severity)

vSphere UI must be configured to hide the server version.
Web servers will often display error messages to client users with enough information to aid in the debugging of the error. The information given back in error messages may display the web server t... (Rule, Medium severity)

vSphere UI must have the debug option turned off.
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or t... (Rule, Medium severity)

vSphere UI log files must be moved to a permanent repository in accordance with site policy.
vSphere UI produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic, forensics, or other purposes relevant to ensuring the availabi... (Rule, Medium severity)

vSphere UI must set the secure flag for cookies.
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the secure flag is to prevent cookies from being... (Rule, Medium severity)
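Most of the rules above come down to settings in the Tomcat deployment descriptor (web.xml) and server configuration (server.xml) behind the vSphere UI: the default servlet's readonly and debug parameters, the WebDAV servlet, shell MIME mappings, the HttpOnly and secure cookie flags, the Connector's maxPostSize, URIEncoding and server attributes, and the UserDatabaseRealm. As an added example, not part of the STIG or of VMware's tooling, the Python below audits constructed web.xml and server.xml fragments for those rules side by side: a weak configuration that trips every check and a hardened one that passes. The finding codes, the 2 MiB POST limit (Tomcat's own default, assumed here as the site limit), and the expectation that the Connector sets an explicit server value are this example's own assumptions; on an appliance the two files would be read from the vSphere UI Tomcat conf directory rather than embedded.

```python
"""Added example (not STIG or VMware code): audit Tomcat web.xml / server.xml text
against several vSphere UI STIG rules. All sample XML below is constructed."""
import xml.etree.ElementTree as ET

SHELL_MIME_TYPES = {"application/x-csh", "application/x-sh", "application/x-shar", "application/x-ksh"}
MAX_POST_SIZE_LIMIT = 2097152  # 2 MiB, Tomcat's default; assumed as the site limit for this example

def _local(tag):
    """Strip the XML namespace so web.xml parses with or without an xmlns declaration."""
    return tag.rsplit("}", 1)[-1]

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def _init_params(servlet):
    """Map <init-param> names to values for one <servlet> element."""
    return {_child_text(p, "param-name"): _child_text(p, "param-value")
            for p in servlet if _local(p.tag) == "init-param"}

def audit_web_xml(text):
    """Return sorted finding codes (example's own names) for the web.xml rules."""
    findings = set()
    root = ET.fromstring(text)
    for servlet in _find_all(root, "servlet"):
        if "WebdavServlet" in (_child_text(servlet, "servlet-class") or ""):
            findings.add("webdav-servlet-present")
        if _child_text(servlet, "servlet-name") == "default":
            params = _init_params(servlet)
            # Tomcat's DefaultServlet is read-only unless readonly is explicitly set to false
            if (params.get("readonly") or "true").lower() != "true":
                findings.add("default-servlet-writable")
            if (params.get("debug") or "0") != "0":
                findings.add("default-servlet-debug-on")
    for mapping in _find_all(root, "mime-mapping"):
        if (_child_text(mapping, "mime-type") or "") in SHELL_MIME_TYPES:
            findings.add("shell-mime-mapping")
    http_only = secure = None
    for cfg in _find_all(root, "cookie-config"):
        http_only, secure = _child_text(cfg, "http-only"), _child_text(cfg, "secure")
    if (http_only or "").lower() != "true":
        findings.add("cookie-httponly-missing")
    if (secure or "").lower() != "true":
        findings.add("cookie-secure-missing")
    return sorted(findings)

def audit_server_xml(text):
    """Return sorted finding codes for the Connector and Realm rules in server.xml."""
    findings = set()
    root = ET.fromstring(text)
    for conn in _find_all(root, "Connector"):
        max_post = conn.get("maxPostSize")
        # Require an explicit bound: absent relies silently on the default, negative disables the limit
        if max_post is None or not (0 < int(max_post) <= MAX_POST_SIZE_LIMIT):
            findings.add("maxpostsize-unbounded")
        if conn.get("URIEncoding", "").upper() != "UTF-8":
            findings.add("uriencoding-not-utf8")
        if not conn.get("server"):  # assumption: an explicit override (e.g. "Anonymous") is required
            findings.add("server-version-exposed")
    for realm in _find_all(root, "Realm"):
        if realm.get("className", "").endswith("UserDatabaseRealm"):
            findings.add("userdatabaserealm-enabled")
    return sorted(findings)

# Constructed samples: a weak pair that trips every check and a hardened pair that passes.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>1</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param></servlet>
  <servlet><servlet-name>webdav</servlet-name><servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class></servlet>
  <mime-mapping><extension>sh</extension><mime-type>application/x-sh</mime-type></mime-mapping>
  <session-config><cookie-config><http-only>false</http-only></cookie-config></session-config></web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param></servlet>
  <session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config></web-app>"""
WEAK_SERVER_XML = """<Server port="-1"><Service name="Catalina">
  <Connector port="5090" protocol="HTTP/1.1" maxPostSize="-1"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  </Engine></Service></Server>"""
HARDENED_SERVER_XML = """<Server port="-1"><Service name="Catalina">
  <Connector port="5090" protocol="HTTP/1.1" maxPostSize="2097152" URIEncoding="UTF-8" server="Anonymous"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""

if __name__ == "__main__":
    print("weak:", audit_web_xml(WEAK_WEB_XML) + audit_server_xml(WEAK_SERVER_XML))
    print("hardened:", audit_web_xml(HARDENED_WEB_XML) + audit_server_xml(HARDENED_SERVER_XML))
```

The checks deliberately mirror how the STIG treats defaults: an absent readonly parameter passes because Tomcat's DefaultServlet is read-only by default, while an absent maxPostSize or server attribute is flagged so that the bound and the header override are visible in the configuration rather than inherited silently. The log-file permission, RPM integrity, log offloading and fail-safe rules are not configuration-file checks and are out of scope for this audit.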